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1 REMARKS 

2 These remarks follow the order of the paragraphs of the office action. Relevant portions of the 

3 Office action are shown indented and italicized. 

4 Claims 1-15 remain in the application. New claims 16-20 are added to better protect thye 

5 invention for the applicants. 

6 DETAILED ACTION 

7 Claim Rejections 35 US §102 

8 The following is a quotation of the appropriate paragraphs of 35 U&C 102 that form 

9 the basis for the rejections under this section made in this Office action: 

10 A person shall be entitled to a patent unless — 

11 (b) the invention was patented or described in a printed publication in this or a 

12 foreign country or in public use or on sate in this country, more than, one year prior to 

1 3 the date of application for patent in the United States. 
14 

15 Claims 1-15 are rejected under 35 U.S.C. 102(h) as being anticipated by 5. Ma, etal, 

1 6 "EventMiner » : An integrated mining tool for Scalable Analysis of Event Data " t May 2L 

17 2001 , www.researchibm.conL 

1 8 In response, applicants respectfully state that the present invention is not anticipated by S. Ma, et 

19 al. The present invention provides methods for monitoring events in a computer network, said 

20 computer network triggering said events, wherein each event is provided with attribute values 

21 allocated to a given set of attributes. It provides methods, apparatus and systems for monitoring 

22 events in a computer network enabling an operator of an intrusion-detection system to 

23 simultaneously monitor various event attribu tes versus the arrival time of the events. 

24 The cited reference, S, Ma, et al., indeed presents other event mining methods. That 

25 visualization method using a two-dimensional mapping technique of arbitrary event attributes 

26 versa arrival time enabling an operator to analyze the event history. A distinct disadvantage of 

27 this method is that only one of the event attributes may be plotted versus the arrival time of the 

28 events. Thus, the operators have to switch continuously between the various event attributes to 
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1 make sure that they do not miss a significant event pattern. The disadvantages of S. Ma et al.> are 

2 overcome with the invention claimed in claims 1-15. Often, the passages cited in the office 

3 action apparently fail to show what is alleged in the office action. Thus claims 1-1 5 are 

4 allowable. 

5 In particular, claim 1 reads, 

6 1 . (original) A method of monitoring events in a computer network, the method 

7 comprising: 

8 said computer network triggering said events, each event being provided with attribute 

9 values allocated to a given set of attributes, 

1 0 providing an event display with a cross plot having x and y coordinate axes, the x-axis 

1 1 presenting a time period and the y-axis presenting an attribute value range, 

12 determining a primary attribute of the events selected from the given set of attributes to 

13 be presented with its attribute values on the y-axis of the cross plot, 
14 

15 allocating a first display label to the events indicating the attribute values of the primary 

1 6 attribute, providing a pattern algorithm to detect whether an arrived event is part of the 

17 given pattern on the basis of a comparison of the attributes allocated to the given pattern 

1 8 and of the attributes assigned to the arrived event, providing a mapping algorithm to map 

19 any attribute value of an attribute selected from the given set of attributes onto the y-axis 

20 of the cross plot, 

21 allocating a second display label to the events indicating the attribute values of the 

22 attributes being uncovered as part of the given pattern, plotting all the events arrived 

23 within the time period and including an attribute value allocated to the primary attribute 

24 into the cross plot with the first display label indicating the primary attribute, the position 
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1 of the first display label of each event in the cross plot being determined on the basis of 

2 the attribute value of the primary attribute of the event and its arrival time, and 

3 plotting the all events arrived within the time period and being detected by means of the 

4 pattern algorithm as part of the given pattern into the cross plot with the second display 

5 label indicating the givea pattern, the position of the second display label of each event in 

6 the cross plot being deteimined by the mapping algorithm on the basis of the attribute 

7 value of the attribute of the event being uncovered as part of the given pattern and its 

8 arrival time. 

9 This is not in Ma. The office action reads: 

10 Claim 1: Ma teaches a method of monitoring events in a computer network, the method 

1 1 comprising: 

12 Said computer network triggering said events, each event being provided with 

13 attribute values allocated to a given set of attributes (See Page 1, second paragraph, for 

14 attribute values, see the last paragraph of Page 6 and the first and second paragraphs of 

1 5 Page 8 and the real data set collected from a production computer network containing 

16 thousands of managed nodes including routers, hubs and servers are described in the last 

17 paragraph of page 3 and identifying unknown event patterns that can be used for 

18 real-time monitoring is described in the second paragraph of page 3); 

1 9 Providing an event display with a cross plot having x and y coordinate axes, the 

20 X-axis presenting a time period and the y-axis present an attribute value range (e.g., 

2 1 Figs. 2, 4, 6, 7 and the third paragraph of Page 8 describes a scatter plot or cross plot 

22 having an y-axis representing around 160 hosts of a communication network and the x 

23 axis has been described in the figures as well as the first paragraph of page 6; for 

24 attribute value rang; see these figures as well as the description in the second paragraph 

25 of Page 8); 

26 Determining a primary attribute of the events selected from the given set of 

27 attributes to be presented with its attribute values on the y-axis of the cross plot (e.g., 

28 attributes including the categorical attributes or temporal attributes such as the host 

29 names and the primary attribute values are displayed in Figs. 2, 4, 6 and 7 and multiple 

30 attributes are described in the last paragraph of Page 11), 

31 In response, applicants respectfully state that there is apparently no indication that Ma. Performs 

32 a step of detennining a 'primary attribute', as in claim 1 . In claim 1 , in order to differentiate the 

33 events associated with the primary attribute from the events being part of the interesting event 

34 pattern, a first display label is assigned to all events including a primary attribute value and a 
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1 second display label is assigned to all events indicating the attribute values of the attributes being 

2 uncovered as part of the relevant event pattern. By using the inventive method of monitoring 

3 events, the event display presents a plot of information of the main event attribute versus the 

4 arrival time of the event by using a first display label for the plotted events wherein the 

5 interesting event pattern derived from other event attributes is simultaneously presented by using 

6 the second display label for these events. If the operator of the intrusion detection system wants 

7 to investigate the events being detected as part of a given pattern in more detail, he can easily 

8 switch to the corresponding event attribute by selecting a mark of the second display label in the 

9 cross plot 

1 0 The office action reads: 

1 1 Allocating aftrst display label (e.g., Pattern 1, Pattern 2, Pattern 3 and Pattern 4 

12 are marked in the scatter plot or the cross plot of Fig. 7) to the events (e.g. alarms in 

13 Page 10) indicating the attribute values of the primary attribute (key attribute values are 

14 described in the second paragraph of page 3 and other attribute values are also 

15 described there), providing a pattern algorithm (the pattern algorithm is described in 

16 Fig> 7 as well as the mining algorithm as described in the last paragraph of page 12 or 

17 the EventMiner) to detect whether an arrived event (arrived event are the selected event 

18 objects or the selected data objects in a specific time range related to the events 

19 progressively loaded from a database or the mining alarm logs in a real time system; see 

20 first paragraph of page 13 and the last paragraph of page 10 and a new query that 

2 1 retrieves the relevant data objects for more analysis in which a new query is restricted to 

22 a range constraint for a numerical attribute; see the last paragraph of page 10) is part 

23 of the given pattern (is part of the part of the given pattern such as the Pattern 1 or the 

24 Pattern 2) on the basis of a comparison of the attributes allocated to the given pattern 

25 and of the attributes assigned to the arrived event (coloring events by the coloring and 

26 ' filtering algorithm or the data mining algorithm and comparing the difference or 

27 similarity in terms of patterns indicated by colors; see page 13), providing a mapping 

28 algorithm to map any attribute value of an attribute selected from the given set of 

29 attributes onto the y-axis of the cross plot (see the last paragraph of Page 11), 

30 In response, applicants respectfully state that there is apparently no indication that Ma. Performs 

3 1 a step related to a 'primary attribute' , as in claim 1 . Although Ma has a display, Ma apparently 

32 do not 

33 allocate a "display label to the events indicating the attribute values of the primary 

34 attribute/' nor do Ma 
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1 provide, "a pattern algorithm to detect whether an arrived event is part of the given 

2 pattern on the basis of a comparison of the attributes allocated to the given pattern and of the 

3 attributes assigned to the arrived event, etc. 

4 Allocating a second display label (e.g.. Pattern 2) to the events indicating the 

5 attribute values of the attributes being uncovered as part of the given pattern, plotting all 

6 the events arrived within the time period and including an attribute value allocated to 

7 the primary attribute into the cross plot with the first display label indicating the primary 

8 attribute the position of the first display label of each event in the cross plot being 

9 determined on the basis of the attribute value of the primary attribute of the event and its 

10 arrival time (see Figs. 2 ? 4, 6, and 7 and the related paragraphs mentioned above in 

1 1 "allocating a first display label), and Plotting the all events arrived within the time 

12 period (Figs. 2, 4, 6, and 7 plot the all events within a specific time range) and being 

13 detected by means of the pattern algorithm (by the event miner algorithm) as part of the 

14 given pattern into the cross plot with the second display label (e.g., Pattern 2 or the 

15 Green Spike in Fig. JO), the position of the second display label of each event in the cross 

16 plot being determined by the mapping algorithm on the basis of the attribute value of the 

17 attribute of the event (see Fig. 10) on the basis of the attribute value of the attribute of the 

1 8 event being uncovered (uncovered for example in the alarm log and uncovered by the 

1 9 mining algorithm) as part of the given pattern and its arrival time (all the selected events 

20 are in a specific time range as plotted in Figs. 2, 4, 6. 7 and 1 0). 

21 In response, applicants respectfully state that there is apparently no indication that Ma. Performs 

22 a step related to a 'primary attribute', as in claim I . Although Ma has a display, Ma apparently 

23 do not have a second display. The 'Pattern 2' of Ma, is not concerned with the second display of 

24 claim 1 's step of "allocating a second display label to the events indicating the attribute values of 

25 the attributes being uncovered as part of the given pattern, plotting all the events arrived within 

26 the time period and including an attribute value allocated to the primary attribute into the cross 

27 plot with the first display label indicating the primary attribute, the position of the first display 

28 label of each event in the cross plot being determined on the basis of the attribute value of the 

29 primary attribute of the event and its arrival time." 

30 Nor is the plot of Ma, concerned with the step of claim 1 for, "plotting the all events arrived 

3 1 within the time period and being detected by means of the pattern algorithm as part of the given 

32 pattern into the cross plot with the second display label indicating the given pattern, the position 

33 of the second display label of each event in the cross plot being determined by the mapping 
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1 algorithm on the basis of the attribute value of the attribute of the event being uncovered as part 

2 of the given pattern and its arrival time." In the method of Ma, only oqe of the event attributes 

3 may be plotted versus the arrival time of the events. Thus, the operators have to switch 

4 continuously between the various event attributes to make sure that they do not miss a significant 

5 event pattern. The disadvantages of S. Ma et al., are overcome with the invention claimed in 

6 claims 1. Thus, claim 1 and all claims that depend on claim 1 are allowable. 



7 Re Claims 2-3: 

8 Ma farther discloses selecting the new events within the specified time period and 

9 plotting the new events within the shifted time period into the cross plot (See Figs, 6, 7,9 

10 and 10 in which events in the two time periods are drawn and the spikes are identified 

1 1 and the newly selected events are redrawn as determined by the data mining algorithm 

12 for the time period during which the new events are retrieved). 

13 In response, applicants respectfully state that claims 2 and 3 read, 

14 2. The method according to claim 1 , further comprising: 

1 5 recording the attribute values and the arrival time of a new event, determining on the 

1 6 basis of the recorded attribute values of event whether or not the newly arrived event 

1 7 includes an attribute value of the primary attribute, and if the newly arrived event 

18 includes the attribute value for the primary attribute shifting the x-axis of the cross plot so 

19 that the time period being presented on the x-axi$ covers the arrival time of the event, and 

20 plotting the event arrived within the shifted time period into the cross plot with the first 

2 1 display label indicating the primary attribute. 

22 3. The method according to claim 2 comprising the further steps of: 

23 detennining on the basis of the recorded attribute values of event whether or not the 

24 newly arrived event is part of the given pattern on the basis of a comparison of the 
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1 attributes allocated to the given pattern and of the attributes assigned to the arrived event, 

2 

3 if the newly arrived event includes an attribute value of the given pattern adding the event 

4 to the previous events being detected as part of the given pattern, and 

5 redrawing all the events being associated with given pattern in the cross plot. 

6 As noted Ma's method is that only one of the event attributes may be plotted versus the arrival 

7 time of the events. Thus, the operators have to switch continuously between the various event 

8 attributes to make sure that they do not miss a significant event pattern. Ma is not concerned with 

9 the 'primary attribute' nor for a plurality of event attributes, as in claims 2 and 3 which are 

1 0 allowable over Ma et al. 

11 Re Claims 4-5: 

12 Ma farther discloses the third display label and the fourth display label indicating the 

13 new patterns (See the three colored spikes in Fig. 6 and the four patterns in Fig- 7). 

14 In response, applicants respectfully state that the indicating of new patterns in Ma, is not the steps 

15 of claim 4. Ma do not test as in claim 4, "if the newly arrived event does not include an attribute 

16 value of the given pattern." Nor do Ma determine, "on the basis of the recorded attribute 

17 values of all previous arrived events by means of the pattern algorithm whether or not the 

18 newly arrived event is part of a new pattern on the basis of a comparison of the attributes 

19 allocated to the new pattern and of the attributes assigned to the arrived events." Nor do 

20 Ma test, "if the newly arrived event forms together with previous recorded events the new 

21 pattern," Nor do Ma allocate, "a third display label to the events indicating the attribute values of 

22 the attributes being uncovered as part of the new pattern." Certainly, Ma does apparently not 

23 perform the step of, "plotting the all events being detected by means of the pattern algorithm 

24 as part of the new pattern into the cross plot with the third display label indicating the new 

25 pattern, the position of the third display label of each event in the cross plot being determined by 
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1 the mapping algorithm on the basis of the attribute value of the attribute of the event being 

2 uncovered as part of the new pattern and its arrival time. Thus claim 4 is allowable over Ma. 

3 Similarly, Ma are not concerned with a 'primary attribute nor with the step of claim 5, of 

4 removing all the events including an attribute value allocated to the primary attribute_fe ftm 

5 the cross plot if a primary attribute to be presented with its attribute values on the y-axi$ of the 

6 cross plot is changed, allocating a fourth display label to the events indicating the attribute values 

7 of the new primary attribute," nor with the step of, Votting all the events arrived within the time 

8 period and including an attribute value allocated to the new primary attribute into the cross plot 

9 with the fourth display label indicating the new primary attribute, the position of the fourth 

10 display label of each event in the cross plot being determined on the basis of the attribute value 

11 of the primary attribute of the event and its arrival time," nor with the step of, "if a primary 

12 attribute to be presented with its attribute values on the y-axis of the cross plot is changed, 

13 allocating a fourth display label to the events indicating the attribute values of the new primary 

14 attribute, and plotting all the events arrived within the time period and including an attribute 

1 5 value allocated to the new primary attribute into the cross plot with the fourth display label 

1 6 indicating the new primary attribute, the position of the fourth display label of each event in the 

17 cross plot being determined on the basis of the attribute value of the primary attribute of the 

1 8 event and its arrival time. Thus claim 5 is allowable over Ma. 

19 Re Claim 6: 

20 Ma further discloses the operator selects the events to be plotted and displaying textual 

21 and coloring information associated with the selected events on the event display (Page 4 

22 and Figs. 6,7,9-10). 

23 In response, applicants respectfully state that claim 6 reads, 

24 6. The method according to claim 1 comprising the iurther steps of plotting all attribute 

25 values recorded for an event with the respective display label into the cross plot if the 

26 event is selected by an operator, and displaying textual information associated with the 

27 selected event on the event display. 

28 Ma is not concerned with the test and step of claim 6 of, "plotting all attribute values recorded 

29 for an event with the respective display label into the cross plot if the event is selected by an 
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1 operator, and displaying textual information associated with the selected event on the event 

2 display. Thus claim 6 is allowable over Ma. 

3 Re Claim 7: 

4 Ma further discloses a pattern algorithm such as the data mining algorithm suitable to 

5 perform multi-attribute pattern recognition (Figs. 6, 7, 0. 10). 

6 In response, applicants respectfully state that claim 7 reads, 

7 7. The method according to claim 1 , wherein the pattern algorithm is suitable to perform 

8 multi-attribute pattern recognition. 

9 There is apparently no indication that Ma is concerned with multi-attribute pattern recognition or 

1 0 even any pattern recognition. Being allegedly suitable is indeed not an anticipation of the 

1 1 invention in claim 7. Thus claim 7 is allowable over Ma, 

12 Re Claim 8: 

13 Ma further discloses using color such as Red and Green to color the pattern Spikes and 

14 Pattern 7, Pattern 2> Pattern 3, Pattern 4 for specific mark layouts (Figs. 6, 7.9-10). 

15 In response, applicants respectfully state that claim 8 reads, 

16 8- (original) The method according to claim 1, wherein each display label includes a 

1 7 specific color and/or a specific mark layout, 

18 Ma's use of colors is apparently not similar or anticipate of the use of color in claim 8. Thus 

19 claim 8 is allowable over Ma. 

20 Re Claim 9: 

21 Ma farther discloses all events being uncovered as part of the pattern being clustered by 

22 the display label such as Red Spikes, Green Spikes (Figs. 6 t 7 and 9-10). 

23 In response, applicants respectfully state that claim 9 reads, 

24 9. (original) The method according to claim 1, wherein all events being uncovered as part 

25 of the pattern are clustered by the corresponding display label. 

26 There is apparently no indication that Ma is at all concerned with clusters or clustering as in 

27 claim 9. Thus claim 9 is allowable over Ma 

28 Re Claim 10: 
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1 Ma further discloses a data mining algorithm and GUI(page 14). 

2 In response, applicants respectfully state that the response to claim 1 is appropriate to claim 1 0 

3 which depends thereupon. The program code is the that of claim 1 , which is not anticipated by 

4 Ma Thus claim 10 is allowable over Ma. 

5 Re Claim 11: 

6 Ma further discloses the program code being stored on data carrier 

7 (see page 5). 

8 In response, applicants respectfully state that there is apparently no indication that Ma discloses 

9 or is concerned with a data carrier as in claim 1 1 . Thus claim 1 1 is allowable over Ma. 

10 Re Claim 12: 

1 1 Ma further discloses an event visualization device for monitoring events in a computer 

12 network (Page 3). 

13 In response, applicants respectfully state that the response to claim 1 is appropriate to claim 12, 

14 which depends thereupon. The device is for performing the steps of claim 1, which is not 

1 5 anticipated by Ma, Thus claim 12 is allowable over Ma. 

16 Re Claims 13-15: 

1 7 Ma farther discloses an implementation of the Event Miner algorithm on the computer 

18 (Page 4-5). 

19 In response, applicants respectfully state that the response to claim 1 is appropriate to claims 

20 13-15, which depends thereupon. The article of manufacture of claim 13 is for performing the 

21 steps of claim 1, which is not anticipated by Ma. The program storage device of claim 14 is for 

22 performing the steps of claim 1 s which is not anticipated by Ma, The product of claim 1 5 is for 

23 perforating the functions of claim 12, which is not anticipated by Ma. Thus claims 13-15 are 

24 allowable over Ma. 

25 Thus these claims and all claims that depend upon these claims are allowable over the cited art. 

26 Thus, claims 1-15 are allowable. Claims 16-20 are added. A listing of the claims is provided as 

27 required in the new USPTO amendment practice per 3 7 CFR 1.121. 
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1 It is anticipated that this amendment brings the application to allowance of claims 1 -20. 

2 Favorable action is respectfully solicited. In the unlikely event that any claim remains rejected, 

3 please contact the undersigned by phone in order to discuss the application. 

4 Please charge any fee necessary to enter this paper to deposit account 50-05 1 0. 

5 Respectfully submitted, 

6 By- S^^^q^ 

7 Dr. Louis P. HerzSerg 

8 Reg. No. 41,500 

9 Voice Tel. (845) 352-3194 

10 Fax. (914) 945-3281 

11 3 Cloverdale Lane 

12 Monsey, NY 10952 

1 3 Customer Number: 54856 
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